1.1.32 Ensure that the admission control policy is set to NodeRestriction

Information

Limit the 'Node' and 'Pod' objects that a kubelet could modify.

Rationale:

Using the 'NodeRestriction' plug-in ensures that the kubelet is restricted to the 'Node' and 'Pod' objects that it could modify as defined. Such kubelets will only be allowed to modify their own 'Node' API object, and only modify 'Pod' API objects that are bound to their node.

Solution

Follow the Kubernetes documentation and configure 'NodeRestriction' plug-in on kubelets. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--admission-control' parameter to a value that includes 'NodeRestriction'.

--admission-control=...,NodeRestriction,...

Impact:

None

See Also

https://workbench.cisecurity.org/files/1788

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: f237978d0f1758e36e11db527f6058de5c4e63d39194521a3753db3f61874bb4